Hello SharePoint guys,

In my day-to-day and research tasks, I often create app principals in SharePoint Online. They get various privileges according to my needs (Read-Only, Write or Full Control on Lists, Webs or Site collections). One thing I had never needed so far is an app principal with Full Control privileges on the whole tenant.

It turns out there are a few unusual steps compared to the other scenarios, so I decided to write down a few words about my own investigation and hope it will help!

My external management app (not a SharePoint add-in) requires app-only full privileges on the whole tenant.

Trying the usual way

I go to the default site collection of my tenant, reach the usual appregnew.aspx page (https://yourtenant.sharepoint.com/_layouts/15/appregnew.aspx) and register my app principal.

[Screenshot: appregnew]

As usual, I need to keep the generated info (Client Id, Client Secret) in a safe location. The secret is only displayed at creation time, and once the principal is granted tenant-wide Full Control it is effectively a tenant admin password, so treat it as such.

The usual second step is to grant my app principal the permissions I want it to have: I go to the appinv.aspx page (https://yourtenant.sharepoint.com/_layouts/15/appinv.aspx), look up my App Id and give it the proper permissions XML.

[Screenshot: appinv fullcontrol tenant]

I know the XML must be

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

And I know I will be redirected to a page asking me whether I trust this application, but...

[Screenshot: TrustAppDisabled]

There are 2 unusual things here:

  1. A red message that reads "Your tenant administrator has to approve this app."
  2. The "Trust it" button that I usually need to click is greyed out

Well, pretty annoying since I am currently the tenant administrator...

OK, let's adapt...

I suspect that, for security reasons, I need to do it from the SharePoint admin center. I will probably have to register the app principal from https://yourtenant-admin.sharepoint.com/_layouts/15/appregnew.aspx

[Screenshot: accessdenied-appregnew-admin]

Dead end...

By the way, it is a rather odd error message because I am still logged in as the tenant administrator.


OK, I cannot create a new app principal from the SharePoint admin center, but maybe I can grant permissions to the one I created previously? Let's try it!

I go to https://yourtenant-admin.sharepoint.com/_layouts/15/appinv.aspx and, hey, I reach a page!

[Screenshot: spadmincenter-appinv]

Apart from some different styling, this page looks familiar! I look up my App Id and I find it!

[Screenshot: spadmincenter-trustapp]

Let's enter the same permissions XML here and click Create.

It looks like it is working!

OK, the last thing is to make sure my app principal really has the proper permissions. In a PowerShell console with PnP PowerShell properly installed, enter the following commands:

Connect-PnPOnline -Url https://<your-tenant>-admin.sharepoint.com -AppId <your-app-id> -AppSecret <your-app-secret>
Get-PnPTenantSite

[Screenshot: pnpps-gettenantsite]

I get the list of the available site collections. Get-PnPTenantSite only works against the admin site with tenant-level rights, so this proves both that my credentials are valid and that the tenant-scope permission was actually granted.
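To make the two-step check repeatable, here is an added verification script that is not part of the original post. It assumes the same PnP PowerShell module as above (Connect-PnPOnline accepting -AppId and -AppSecret for an ACS app-only principal); the tenant name, App Id, site path and the SPO_APP_SECRET environment variable are placeholders I chose for the example. It first probes the tenant scope through the admin site, then probes an ordinary site collection, because a principal granted http://sharepoint/content/tenant Full Control must be able to read content there without any site-level grant. A wrong secret fails at token request time, whereas an "Access denied" after a token was issued means the permission XML was not granted at the scope you are testing.

```powershell
# Added example: verify an ACS app-only principal after granting it
# tenant-scope Full Control from the admin center appinv.aspx page.
# Assumes the legacy SharePointPnPPowerShellOnline module (Connect-PnPOnline
# with -AppId/-AppSecret). Tenant, AppId, Site and the SPO_APP_SECRET
# environment variable are hypothetical placeholders.
param(
    [Parameter(Mandatory = $true)] [string] $Tenant,   # e.g. contoso (hypothetical)
    [Parameter(Mandatory = $true)] [string] $AppId,    # Client Id from appregnew.aspx
    [string] $Site = "sites/projects"                  # any existing site collection (hypothetical)
)

$ErrorActionPreference = "Stop"

# Never hardcode the secret; read it from the current session's environment.
$appSecret = $env:SPO_APP_SECRET
if ([string]::IsNullOrEmpty($appSecret)) {
    throw "Set SPO_APP_SECRET in the environment before running this script."
}

$adminUrl = "https://$Tenant-admin.sharepoint.com"
$siteUrl  = "https://$Tenant.sharepoint.com/$Site"

function Test-AppOnlyAccess {
    param([string] $Url, [scriptblock] $Probe, [string] $What)

    try {
        # A bad Client Id/secret fails here, during the ACS token request.
        Connect-PnPOnline -Url $Url -AppId $AppId -AppSecret $appSecret
        # A token was issued; now SharePoint checks the granted permission scope.
        $result = & $Probe
        Write-Host "[OK]   $What"
        return $result
    }
    catch {
        if ($_.Exception.Message -match "Access denied|Unauthorized|403") {
            Write-Host "[FAIL] $What : access denied (token issued, permission not granted at this scope)"
        } else {
            Write-Host "[FAIL] $What : $($_.Exception.Message)"
        }
        return $null
    }
    finally {
        Disconnect-PnPOnline -ErrorAction SilentlyContinue
    }
}

# 1. Tenant scope: listing site collections requires tenant-level rights on the admin site.
$sites = Test-AppOnlyAccess -Url $adminUrl -What "tenant scope ($adminUrl)" -Probe { Get-PnPTenantSite }
if ($sites) {
    $sites | Select-Object Url, Template | Format-Table -AutoSize
}

# 2. Content scope: tenant Full Control must also cover an ordinary site collection
#    without any additional site-level grant.
$web = Test-AppOnlyAccess -Url $siteUrl -What "content scope ($siteUrl)" -Probe { Get-PnPWeb }
if ($web) {
    Write-Host "Web title: $($web.Title)"
}
```

Run it as `.\Test-TenantAppPrincipal.ps1 -Tenant yourtenant -AppId <your-app-id>` after setting `$env:SPO_APP_SECRET` in the same session. If the first probe fails with access denied while the second succeeds, the principal only holds a site-scoped grant (for example from the regular site appinv.aspx page) and the tenant-scope grant from the admin center is still missing.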

Note

This seems to be a behavior that changed over time (at least on SharePoint Online). You might find some outdated content on the Internet saying you can use the regular way to give tenant-scope privileges to app principals, but it is no longer valid since August 2016.

After my own investigation, I wanted to confirm it, and after a bit of googling I found this: https://msdn.microsoft.com/en-us/pnp_articles/how-to-provide-add-in-app-only-tenant-administrative-permissions-in-sharepoint-online (as always, a PnP article 😉 Damn, they cover so much! Thanks guys!)

I hope this will help people who ran into the same issue as I did. Do not hesitate to leave comments!

See ya !

Yannick
